
TrojanDownloader:Win32/Unruy.D



I got this virus the first time this morning. Microsoft Security Essentials removes it, but it has reinstalled 4 times.

I followed the instructions here.

http://forums.malwarebytes.org/index.php?showtopic=9573

After I download Defogger and click on disable, I am not asked to reboot my computer? If I do it manually, will it do what it is supposed to do?

Here is the log:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 14:40 on 16/06/2010 (Kevin)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-


Ok. I used common sense and rebooted my computer.

Here is the DDS.txt:

_________________________________________________________________________________________________

DDS (Ver_10-03-17.01) - NTFSx86

Run by Kevin at 15:41:39.96 on Wed 06/16/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.537 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}

============== Running Processes ===============

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost -k DcomLaunch

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\PrivacyKeyboard\akl_svc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\IDrive\IDriveE Service.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\NMSSvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\IDrive\IDriveETray.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\WINDOWS\system32\atiptaxx.exe

C:\WINDOWS\system32\SKDAEMON.EXE

C:\WINDOWS\system32\SKSMAILD.EXE

C:\Program Files\Lenovo\Mouse Suite\ICO.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Lenovo\Mouse Suite\FSRremoS.EXE

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\Program Files\Lenovo\Mouse Suite\Pelmiced.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\D-Link\D-Link RangeBooster N DWA-142\wirelesscm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Aim6]

uRun: [Google Update] "c:\documents and settings\kevin\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [iDriveE Startup] "c:\program files\idrive\IDrvieEStartup.exe" Hide

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AtiPTA] atiptaxx.exe

mRun: [Hot Key Kbd Daemon] SKDAEMON.EXE

mRun: [PrivacyKeyboard] c:\program files\privacykeyboard\PrivacyKeyboard.exe /autorun

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Mouse Suite 98 Daemon] c:\program files\lenovo\mouse suite\ICO.EXE

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [smapp] c:\program files\analog devices\soundmax\Smtray.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\kevin\startm~1\programs\startup\Internet.lnk -

StartupFolder: c:\docume~1\kevin\startm~1\programs\startup\launch~1.lnk - c:\program files\microsoft office\office11\OUTLOOK.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link rangebooster n dwa-142\wirelesscm.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: cbs.com

Trusted Zone: hotmail.com

Trusted Zone: hulu.com

Trusted Zone: lasvegasadvisor.com\www

Trusted Zone: live.com

Trusted Zone: msn.com

Trusted Zone: passport.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlins.cab

DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlsi.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

DPF: {5445BE81-B796-11D2-B931-002018654E2E} - hxxp://live.vip.com/system/web/view/live/messaging/ie/SecMgr.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab

DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab

DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://2betdsi.secureprivate.com/midascashier500_DSI/Scrubbers/IoVation/StmOCXiovation.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab

DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_5.cab

DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://iwon.oberon-media.com/online/online2/zuma/popcaploader_v5.cab

DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\467kfco5.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.lasvegasadvisor.com/forum/categories.cfm?catid=17

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

============= SERVICES / DRIVERS ===============

R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2006-7-18 284184]

R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2006-7-18 91672]

R1 krnl_akl;PrivacyKeyboard Kernel Service;c:\windows\system32\drivers\krnl_akl.sys [2009-4-21 360960]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-7-6 607576]

R2 akl_svc";PrivacyKeyboard Service;c:\program files\privacykeyboard\akl_svc.exe [2009-4-21 59904]

R2 IDriveE Service;IDriveE Service;c:\program files\idrive\IDriveE Service.exe [2008-3-6 128464]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-25 24652]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-1-3 115312]

S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-6-4 9344]

=============== Created Last 30 ================

2010-06-16 22:16:49 0 ----a-w- c:\documents and settings\kevin\defogger_reenable

2010-06-10 06:08:11 3244 ----a-w- c:\windows\system32\wbem\Outlook_01cb08634d629262.mof

2010-06-09 17:53:22 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-05-21 18:26:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-21 18:26:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-19 18:15:18 68224 ----a-w- c:\windows\system32\drivers\PCI.SYS

2010-05-19 16:20:25 0 d-----w- c:\program files\Microsoft Security Essentials

2010-05-19 15:55:54 0 d-----w- c:\windows\system32\wbem\Repository

2010-05-19 15:53:38 0 d-----w- c:\docume~1\alluse~1\applic~1\PopCap

2010-05-19 15:52:29 0 d--h--w- c:\windows\ie8

2010-05-19 15:49:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Megaupload

2010-05-18 15:27:12 0 dc----w- c:\windows\ie8(2)

==================== Find3M ====================

2010-05-21 21:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2010-04-08 08:07:55 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-04-08 08:07:55 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-04-03 13:39:36 2377576 ----a-w- c:\windows\system32\dllcache\WMVCore.dll

2010-03-20 01:05:50 4874240 ------w- c:\windows\system32\dllcache\wmp.dll

2009-04-22 03:56:58 634880 --sha-w- c:\windows\system32\vkbd.exe

2008-08-02 17:14:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080220080803\index.dat

============= FINISH: 15:44:20.00 ===============

_________________________________________________________________________________________________

I tried opening the GMER Rootkit Scanner and received an error message. I did not write it down. Something about Win32 error. Here are the details.

szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : unknown

szModVer : 0.0.0.0 offset : 000708c4

The program opened, but I clicked on "Debug" on the error message. The program disappeared.

Now, I can't open any programs. No IE, MSWord. I get the following error message when trying to open it.

Svchost.exe (or Winword.exe, depending on what I try to open).

The instruction at "0x0014057c" reference memory at "0x0014057c". The memory could not be "read"

Click on OK to terminate the program.

Click CANCEL to debug the program

I am going to reboot my computer; hopefully it works on the other end.

Attach.zip


  • Root Admin

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


This place is getting busy.

Ok. Attached are the ark.txt file and the Malwarebytes logs not included before. Malwarebytes did not find anything. I ran it in safe mode.

Below is the combo log.

ComboFix 10-06-16.04 - Kevin 06/17/2010 10:43:49.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.539 [GMT -7:00]

Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Kevin\Application Data\.#

c:\documents and settings\Kevin\Application Data\.#\MBX@200@3A41E8.###

c:\documents and settings\Kevin\Application Data\.#\MBX@200@3A4218.###

c:\documents and settings\Kevin\Application Data\.#\MBX@200@3A4248.###

c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\BMBaJYxa.jpg

c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\pyKk5BkyM.jpg

c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\X42b4.jpg

c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\yY57xbb8.jpg

c:\documents and settings\Kevin\Recent\XX Sports Radio.URL

c:\program files\Internet Explorer\SET107.tmp

c:\program files\Internet Explorer\SET108.tmp

c:\program files\Internet Explorer\SET109.tmp

c:\program files\Internet Explorer\SET18E.tmp

c:\program files\Internet Explorer\SET18F.tmp

c:\program files\Internet Explorer\SET190.tmp

c:\program files\Internet Explorer\SET1A9.tmp

c:\program files\Internet Explorer\SET1AA.tmp

c:\program files\Internet Explorer\SET1AB.tmp

c:\program files\Internet Explorer\SET4.tmp

c:\program files\Internet Explorer\SET5.tmp

c:\program files\Internet Explorer\SET5D.tmp

c:\program files\Internet Explorer\SET5E.tmp

c:\program files\Internet Explorer\SET5F.tmp

c:\program files\Internet Explorer\SET6.tmp

c:\program files\Internet Explorer\SET67.tmp

c:\program files\Internet Explorer\SET68.tmp

c:\program files\Internet Explorer\SET69.tmp

c:\program files\Internet Explorer\SET7.tmp

c:\program files\Internet Explorer\SET8.tmp

c:\program files\Internet Explorer\SET8F.tmp

c:\program files\Internet Explorer\SET9.tmp

c:\program files\Internet Explorer\SET90.tmp

c:\program files\Internet Explorer\SET91.tmp

c:\program files\Internet Explorer\SETA.tmp

c:\program files\Internet Explorer\SETB.tmp

c:\program files\Internet Explorer\SETC.tmp

c:\program files\Internet Explorer\SETD.tmp

c:\program files\Internet Explorer\SETD0.tmp

c:\program files\Internet Explorer\SETD1.tmp

c:\program files\Internet Explorer\SETD2.tmp

c:\program files\Internet Explorer\SETD3.tmp

c:\program files\Internet Explorer\SETD4.tmp

c:\program files\Internet Explorer\SETD5.tmp

c:\program files\Internet Explorer\SETE.tmp

c:\program files\Internet Explorer\SETF.tmp

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\system32\win.com

.

((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))

.

2010-06-17 11:39 . 2010-06-17 11:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-16 07:01 . 2010-06-16 07:01 170576 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-06-09 17:53 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-05-23 03:08 . 2010-06-01 06:05 664 ----a-w- c:\documents and settings\Kevin\Local Settings\Application Data\d3d9caps.dat

2010-05-21 18:26 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-21 18:26 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-19 18:15 . 2010-05-19 18:15 68224 ----a-w- c:\windows\system32\drivers\PCI.SYS

2010-05-19 16:20 . 2010-05-19 16:23 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-05-19 15:55 . 2010-05-19 15:55 -------- d-----w- c:\windows\system32\wbem\Repository

2010-05-19 15:53 . 2010-05-19 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap

2010-05-19 15:52 . 2010-05-19 15:53 -------- d--h--w- c:\windows\ie8

2010-05-19 15:49 . 2010-05-19 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Megaupload

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-17 14:54 . 2008-03-06 16:12 -------- d-----w- c:\program files\IDrive

2010-06-17 11:34 . 2007-05-09 14:41 491 ----a-w- c:\windows\system32\drivers\fwdrv.err

2010-06-15 17:57 . 2010-06-15 17:57 614400 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{9340B7FD-94AF-E34A-FB37-FBB0853380B0}-IDriveEView.dll

2010-06-15 17:57 . 2010-06-15 17:57 49152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{614289E1-1181-A9B6-28D4-ADE9C9DF3B37}-SKHOOKS.dll

2010-06-15 17:57 . 2010-06-15 17:57 40820 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C112D1A8-8FEE-F821-F8EA-C4C6C9CF2054}-SYNCOR11.DLL

2010-06-05 15:12 . 2008-08-07 23:44 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-21 21:14 . 2010-01-17 15:19 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-21 18:27 . 2009-05-22 15:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-19 15:51 . 2008-08-03 00:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-18 22:26 . 2010-05-19 15:46 566954 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat

2010-05-06 10:41 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2006-07-29 23:03 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 1980-01-01 07:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-09 17:58 . 2010-04-09 17:58 666112 ----a-w- c:\documents and settings\Kevin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1003220-0-main.dll

2010-04-08 08:11 . 2010-04-08 08:11 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-04-08 08:11 . 2010-04-08 08:11 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-04-08 08:11 . 2010-04-08 08:11 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-04-08 08:11 . 2010-04-08 08:11 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-04-08 08:11 . 2010-04-08 08:11 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-04-08 08:11 . 2010-04-08 08:11 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-04-08 08:11 . 2010-04-08 08:11 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

2010-04-08 08:11 . 2010-04-08 08:11 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-04-08 08:11 . 2010-04-08 08:11 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-04-08 08:07 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-04-08 08:07 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-03-28 19:22 . 2007-03-15 06:39 61038 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2010-03-28 19:22 . 2007-03-15 06:39 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2010-03-28 19:22 . 2007-03-15 06:39 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2009-04-22 03:56 . 2009-04-22 03:56 634880 --sha-w- c:\windows\system32\vkbd.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2007-11-30 194000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"AtiPTA"="atiptaxx.exe" [2001-08-31 245760]

"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2002-07-01 40960]

"PrivacyKeyboard"="c:\program files\PrivacyKeyboard\PrivacyKeyboard.exe" [2009-04-22 456704]

"Mouse Suite 98 Daemon"="c:\program files\Lenovo\Mouse Suite\ICO.EXE" [2009-01-04 65536]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-08 202256]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2001-09-11 69632]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link RangeBooster N DWA-142\wirelesscm.exe [2010-2-20 20512768]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

S1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2006-07-18 284184]

S1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2006-07-18 91672]

S1 krnl_akl;PrivacyKeyboard Kernel Service;c:\windows\system32\drivers\krnl_akl.sys [2009-04-22 360960]

S2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [2008-03-14 128464]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-10-04 115312]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG

.

Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3242847100-1755391664-2942328611-1004Core.job

- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 14:22]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3242847100-1755391664-2942328611-1004UA.job

- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 14:22]

2010-06-17 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 01:02]

2010-06-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3242847100-1755391664-2942328611-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-06-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3242847100-1755391664-2942328611-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: cbs.com

Trusted Zone: hotmail.com

Trusted Zone: hulu.com

Trusted Zone: lasvegasadvisor.com\www

Trusted Zone: live.com

Trusted Zone: msn.com

Trusted Zone: passport.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlins.cab

DPF: {5445BE81-B796-11D2-B931-002018654E2E} - hxxp://live.vip.com/system/web/view/live/messaging/ie/SecMgr.cab

DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://2betdsi.secureprivate.com/midascashier500_DSI/Scrubbers/IoVation/StmOCXiovation.cab

DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab

FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\467kfco5.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.lasvegasadvisor.com/forum/categories.cfm?catid=17

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

AddRemove-HijackThis - c:\documents and settings\Kevin\Desktop\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-17 11:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3242847100-1755391664-2942328611-1004\*

ark.zip

mbam_log_2010_06_17__07_02_22_.txt


  • Root Admin

STEP 01

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

http://forums.malwarebytes.org/index.php?showtopic=54291&view=findpost&p=268721

SUSPECT::

c:\windows\system32\drivers\fwdrv.err

COLLECT::

c:\windows\system32\vkbd.exe

DDS::

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

RegNull::

[HKEY_USERS\S-1-5-21-3242847100-1755391664-2942328611-1004\*


I ran the Combofix. It did finish and give me a log. However, after the third stage, I received an error message.

PEV.cfxxe has encountered a problem and needs to close. stage 2.

Combofix froze until I clicked on "Send Error Report" on the error message. I do not know if the results were compromised.

Below is the log.

ComboFix 10-06-17.02 - Kevin 06/17/2010 17:03:09.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.485 [GMT -7:00]

Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Kevin\Desktop\CFscript.txt

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}

file zipped: c:\windows\system32\vkbd.exe

file zipped: c:\windows\system32\drivers\fwdrv.err

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\vkbd.exe

.

((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))

.

2010-06-17 11:39 . 2010-06-17 11:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-16 07:01 . 2010-06-16 07:01 170576 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-06-15 17:57 . 2010-06-15 17:57 614400 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{9340B7FD-94AF-E34A-FB37-FBB0853380B0}-IDriveEView.dll

2010-06-15 17:57 . 2010-06-15 17:57 49152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{614289E1-1181-A9B6-28D4-ADE9C9DF3B37}-SKHOOKS.dll

2010-06-15 17:57 . 2010-06-15 17:57 40820 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C112D1A8-8FEE-F821-F8EA-C4C6C9CF2054}-SYNCOR11.DLL

2010-06-09 17:53 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-05-23 03:08 . 2010-06-01 06:05 664 ----a-w- c:\documents and settings\Kevin\Local Settings\Application Data\d3d9caps.dat

2010-05-21 18:26 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-21 18:26 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-19 18:15 . 2010-05-19 18:15 68224 ----a-w- c:\windows\system32\drivers\PCI.SYS

2010-05-19 16:20 . 2010-05-19 16:23 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-05-19 15:55 . 2010-05-19 15:55 -------- d-----w- c:\windows\system32\wbem\Repository

2010-05-19 15:53 . 2010-05-19 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap

2010-05-19 15:52 . 2010-05-19 15:53 -------- d--h--w- c:\windows\ie8

2010-05-19 15:49 . 2010-05-19 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Megaupload

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-17 14:54 . 2008-03-06 16:12 -------- d-----w- c:\program files\IDrive

2010-06-17 11:34 . 2007-05-09 14:41 491 ----a-w- c:\windows\system32\drivers\fwdrv.err

2010-06-05 15:12 . 2008-08-07 23:44 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-21 21:14 . 2010-01-17 15:19 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-21 18:27 . 2009-05-22 15:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-19 15:51 . 2008-08-03 00:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-18 22:26 . 2010-05-19 15:46 566954 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat

2010-05-06 10:41 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2006-07-29 23:03 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 1980-01-01 07:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-09 17:58 . 2010-04-09 17:58 666112 ----a-w- c:\documents and settings\Kevin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1003220-0-main.dll

2010-04-08 08:11 . 2010-04-08 08:11 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-04-08 08:11 . 2010-04-08 08:11 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-04-08 08:11 . 2010-04-08 08:11 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-04-08 08:11 . 2010-04-08 08:11 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-04-08 08:11 . 2010-04-08 08:11 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-04-08 08:11 . 2010-04-08 08:11 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-04-08 08:11 . 2010-04-08 08:11 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

2010-04-08 08:11 . 2010-04-08 08:11 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-04-08 08:11 . 2010-04-08 08:11 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-04-08 08:07 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-04-08 08:07 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-03-28 19:22 . 2007-03-15 06:39 61038 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2010-03-28 19:22 . 2007-03-15 06:39 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2010-03-28 19:22 . 2007-03-15 06:39 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2007-11-30 194000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"AtiPTA"="atiptaxx.exe" [2001-08-31 245760]

"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2002-07-01 40960]

"PrivacyKeyboard"="c:\program files\PrivacyKeyboard\PrivacyKeyboard.exe" [2009-04-22 456704]

"Mouse Suite 98 Daemon"="c:\program files\Lenovo\Mouse Suite\ICO.EXE" [2009-01-04 65536]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-08 202256]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2001-09-11 69632]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link RangeBooster N DWA-142\wirelesscm.exe [2010-2-20 20512768]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [7/18/2006 12:02 PM 284184]

R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [7/18/2006 12:02 PM 91672]

R1 krnl_akl;PrivacyKeyboard Kernel Service;c:\windows\system32\drivers\krnl_akl.sys [4/21/2009 8:47 PM 360960]

R2 akl_svc";PrivacyKeyboard Service;c:\program files\PrivacyKeyboard\akl_svc.exe [4/21/2009 8:54 PM 59904]

R2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [3/6/2008 9:12 AM 128464]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/25/2007 3:12 AM 24652]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [1/3/2010 12:47 PM 115312]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG

.

Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3242847100-1755391664-2942328611-1004Core.job

- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 14:22]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3242847100-1755391664-2942328611-1004UA.job

- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 14:22]

2010-06-17 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 01:02]

2010-06-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3242847100-1755391664-2942328611-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-06-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3242847100-1755391664-2942328611-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: cbs.com

Trusted Zone: hotmail.com

Trusted Zone: hulu.com

Trusted Zone: lasvegasadvisor.com\www

Trusted Zone: live.com

Trusted Zone: msn.com

Trusted Zone: passport.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlins.cab

DPF: {5445BE81-B796-11D2-B931-002018654E2E} - hxxp://live.vip.com/system/web/view/live/messaging/ie/SecMgr.cab

DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://2betdsi.secureprivate.com/midascashier500_DSI/Scrubbers/IoVation/StmOCXiovation.cab

DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://secure.shared.live.com/Pa6vGqB728AxD-ckvrPc0A/etc/Microsoft.Live.Folders.RichUpload.cab

FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\467kfco5.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.lasvegasadvisor.com/forum/categories.cfm?catid=17

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-17 18:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3242847100-1755391664-2942328611-1004\*


  • Root Admin

Did STEP 2 run okay? It should have taken at least about 5 minutes or more to scan the entire driver for errors.

Please run the following.

Please visit this site and restore Firefox back to the factory default settings.

Restore Firefox Default Settings Without Uninstalling It

*********************************

What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


Did STEP 2 run okay? It should have taken at least about 5 minutes or more to scan the entire driver for errors.

Step 2 did not work. A window with a black background did open for about one second, then closed.

Should I skip to step 3?


  • 2 weeks later...

The Kaspersky online scanner database will not update. The program does download though.

The "Database Update" % stays at 0% after an hour and a half.

The first time I attempted an update, it reached 20%, but I had to shut down my computer. I do not know if that mucked my computer up so it could not update.

I did delete my cookies, but that did not work.


  • Root Admin

Please run this online scan to help look for remnants then.

Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


Here it is. Thank you for the help.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=7db3e06b56ea3044b749b41c846aed26

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-07-03 09:29:09

# local_time=2010-07-03 02:29:09 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=256 16777215 100 0 122900876 122900876 0 0

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=768 16777215 100 0 123797088 123797088 0 0

# compatibility_mode=5891 16776869 100 100 3070 7682592 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=98257

# found=2

# cleaned=0

# scan_time=10539

C:\Documents and Settings\Kevin\My Documents\toolbar.exe Win32/Toolbar.MegaUpload application 00000000000000000000000000000000 I

C:\found.000\dir0000.chk\vob[1].png probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I


  • Root Admin

Good, that's fine. Please run the following and post back the MBAM log.

How is the computer running now? Are there still any signs of an infection?

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
    • When the update is complete, select the Scanner tab
    • Select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log.


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
